Topic: A Proposal for Brainwallets (v2) - page 2. (Read 3219 times)

I agree about the electrum seed, and it also has key stretching.

I don't even think you can say it's impossible to create your
secure phrase.  maybe not provably secure...but you can
easily create weirdness and entropy using mental techniques,
and add additional entropy with nonsense words, misspellings, and throw in a few
numbers in there....it will be fine if you know what you are
doing (don't try this at home) and dont do something stupid
like use movie phrases.

pitfalls, yes. impossible, no.

Granted, I would rather use electrum because it's more easily memorized.

As fireduck mentioned in his detailed blog, http://correcthorsebatterystaple.net/ is one example of a method to generate a highly secure, easily memorized, brain wallet. It's not "impossible". It just needs to be done carefully.

Here is my brain wallet, generated from correcthorsebatterystaple.net. Hack it and win 1 BTC!

https://blockchain.info/address/1LyoCGuuBQzqKintFHsgNEm5ZDR91prUku

Someone has took them
19aREH3jaDba1xt14zhaUvzyAhzphdAwJN

http://1209k.com/brainv2/

Are you sure about that last sentence? Electrum seeds are quite easy to memorize and they have 128 bits of entropy.

You've got me wrong, I'm all against brainwallets. Just tried to help the beginner who asked "Is there a denomination for 'Entropy'?" to get some basic ideas without directing him to Wikipedia article which is overwhelming for the most people.

Virtually all of those calculators are completely wrong.  You cannot simply calculate entropy of a human sourced password without a statistical model at least as powerful as a typical human mind. Advice like assuming uniform probability over the character set is provably bad (by virtue of people with ~60 character 'brainwallet' keys which have been compromised) and you should feel bad for suggesting it.

This is about the N-th time this bad idea has been brought up here. Please use the search.

I should direct you specific to my last rant on the subject: https://bitcointalksearch.org/topic/m.3345309

It's very hard to advance the art here, even with awesome strengthening because there is no salt (and cannot be really effectively— if there were place to store the salt, forget the brain nonsense and just use the salt as a strong random key) and because the data is constantly available to attackers. This means that even if a cracking farm goes slowly— maybe only 1000 attempts per second— once you have a million users using it you're getting an effective rate of a billion attempts per second.  Then you run into the really strong resistance people have had in having effective strengthening: Strengthening enough to be more than the smallest speedbump is just not usable implemented in Javascript and this is constantly used as an excuse to do weak things...

and then you multiply it by the surprisingly unreliability qualities of human memory. It's just a bad idea all around, and it's irresponsible engineering to suggest anyone use this sort of scheme.

http://ritcyberselfdefense.wordpress.com/2011/09/24/how-to-calculate-password-entropy/

Is there some way of checking the entropy of a Human-Chosen phrase ?

Is there a denomination for 'Entropy' ?

Can one thing be said to be more entropic than another.. and if so, how do you calculate it ?

 

While that is true, attackers do not have unlimited resources and there are some situations where people really like brain wallets.  I wouldn't say it is appropriate for many use cases, but I'd say it is for some.

Key stretching does nothing to improve entropy, which is the real problem with so-called brainwallets.
It is simply impossible to have a human-chosen passphrase as a secure key, no matter how you do it.
A high-entropy passphrase will almost certainly be very difficult to memorise for a human.

The obvious solution to this problem (which applies to any password, not only one that protects bitcoins) it to pick a text that they cannot find.

A better solution is to add something unusual to the pass phrase. Even if pass phrases are hashed a million times, a 1 TH/s ASIC could still generate a million candidates per second. Not only does making the pass phrase longer make it take longer to generate the correct hash, but it makes it more costly to check the hashes.

Imagine creating a pass phrase by selecting four random words from a 1,000 word dictionary. A hacker with a 1 TH/s ASIC can generate a table of all possible hashes in one second and the size of the table will be 32 TB (actually much less with compression).

If the pass phrase is hashed a million times, then it will take a million seconds to generate the table and that is a benefit. However, if two more words are added to the pass phrase, then not only would it take a million seconds, but it would also make the table a million times bigger.

Using scrypt instead, as jcrubino suggests, is a good idea too because scrypt is designed to be resistant to password cracking. Whoever decided to use SHA-256 for hashing a brain wallet password knew very little about security.

warpwallet https://keybase.io/warp/

Uses scrypt to hash the passphrase first.

http://1209k.com/brainv2/

About

People love the idea of a memorizable key for bitcoin wallets. There is an appeal to having something in your head worth something and having it written no where and not stealable without a $5 wrench.

Problem

What people currently refer to as a "brainwallet" is simply a passphrase run through a single SHA-256 and then the result is the private key for a bitcoin address. The problem here is that an attacker can download the blockchain and then run very fast attacks basically hashing any text they can find to see if it hashes to a key which has some bitcoins. And when they find one, they drain that address. They can do this very fast since a single SHA-256 is quite cheap. This leads to sadness.

Solution

An awesome answer is key stretching. The short version is that a function is used to make it more time complex to test a key. As a simple example, lets say rather than SHA-256 once, it is SHA-256 a million times. That means it is a million times more expensive for an attacker to test each possible password. Then you make it even better by adding in something unique to the user. This makes the attacker have to do much more work as each different salt uses a different input on its million SHA-256 operations.